Windows 2008

Within a forest there is already a two-way transitive trust between all domains in the forest. But if another forest (another company) has users who need access to your resources, you set up a trust relationship with that forest manually. Whenever you want to access files or resources in another forest, you need a trust relationship with it.
To create a trust, open Active Directory Domains and Trusts, right-click the domain, choose Properties, and go to the Trusts tab.
In order to resolve the other forest's domain you must first set up a conditional forwarder in DNS!

When the wizard asks for "This domain only" or "Both this domain and the specified domain", the second option requires credentials in the other domain (Domain Admin or Enterprise Admin!).
It is also important to notice the choice between Domain-wide Authentication and Selective Authentication. The difference is that with selective authentication you specify which computers in your domain users from the other forest may authenticate to.
So let's say you have a computer that you trust: you go to the computer account, open the Security tab (Advanced Features must be enabled) and check the "Allowed to Authenticate" permission.
Now only that computer can be used to authenticate against our domain; no other computer can be reached through the trust relationship, so the trust cannot be used for anything potentially harmful elsewhere.
That is how you narrow the permissions down even further.
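The three steps above (conditional forwarder, trust creation, selective authentication scoped to one computer) as a scripted version. This is an added example, not part of the original notes; all names are assumptions: our forest root corp.local, the partner forest partner.example, its DNS server 10.20.0.10, the partner account and group used, and FS01 as the only server partner users may authenticate to. dnscmd and netdom are the Windows Server 2008 command-line tools; the ACE is written with the .NET DirectoryServices classes available in PowerShell 2.0.

```powershell
# Added example, not from the original page. Assumed names throughout:
# corp.local (our forest root), partner.example (the other forest),
# 10.20.0.10 (partner DNS server), FS01 (the one server partner users may use).
# Run in an elevated PowerShell on a domain controller of corp.local.
$ourDomain     = 'corp.local'
$partnerDomain = 'partner.example'
$partnerDns    = '10.20.0.10'

# 1. Conditional forwarder: without it the trust wizard cannot resolve the
#    partner forest. dnscmd ships with the DNS role on Windows Server 2008
#    (on 2012 and later Add-DnsServerConditionalForwarderZone does the same).
dnscmd localhost /ZoneAdd $partnerDomain /Forwarder $partnerDns

# 2. Create the two-way trust from our side. A Domain Admin of the partner
#    domain is required; /PasswordD:* prompts for the password so it never
#    appears on the command line or in the shell history.
netdom trust $ourDomain /Domain:$partnerDomain /Add /Twoway /UserD:"$partnerDomain\Administrator" /PasswordD:*

# 3. Switch the trust from domain-wide to selective authentication.
netdom trust $ourDomain /Domain:$partnerDomain /SelectiveAUTH:yes

# 4. Grant "Allowed to Authenticate" on one computer object only. The GUID is
#    the schema control access right Allowed-To-Authenticate; the partner
#    group name is an assumption.
$allowedToAuthenticate = [Guid]'68b1d179-0d15-4d4f-ab71-46152e79a7bc'
$computer = [ADSI]"LDAP://CN=FS01,CN=Computers,DC=corp,DC=local"
$partnerGroup = New-Object System.Security.Principal.NTAccount('PARTNER', 'File Server Users')
$sid = $partnerGroup.Translate([System.Security.Principal.SecurityIdentifier])
$rule = New-Object -TypeName System.DirectoryServices.ActiveDirectoryAccessRule -ArgumentList @(
    $sid,
    [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight,
    [System.Security.AccessControl.AccessControlType]::Allow,
    $allowedToAuthenticate)
$computer.ObjectSecurity.AddAccessRule($rule)
$computer.CommitChanges()

# 5. Verify the trust and show who holds the right on FS01, so the narrowed
#    scope can be reviewed.
netdom trust $ourDomain /Domain:$partnerDomain /Verify
$computer.ObjectSecurity.Access |
    Where-Object { $_.ObjectType -eq $allowedToAuthenticate } |
    Format-Table IdentityReference, AccessControlType -AutoSize
```

Step 4 is the part worth repeating for every server that partner users genuinely need; every computer that does not get the ACE stays unreachable over the trust, which is exactly the narrowing the notes describe.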

A realm trust is created when, for example, you already have an infrastructure with Kerberos version 5 authentication and you move to Active Directory; the existing Kerberos realm is then connected through a realm trust.

Forest trusts are not transitive across forests: when you create a trust with another forest and that forest already has a trust with a third forest, you cannot access the third forest's resources, because forest trusts are NOT transitive!

In a very complex network with several forests and domains, accessing a resource in a domain of another forest can be very slow. You must be authenticated by that other domain, so the authentication path walks up through your own forest to the root, across to the other forest and down to the target domain.
When you experience slowness in that procedure you can set up a shortcut trust.